OWASP 24/7
https://www.owasp.org/index.php/OWASP_Podcast
Last updated: Wed, 30 Nov 2016 21:57:27 +0000 | Language: en | All rights reserved
Feed contact: feeds@soundcloud.com (SoundCloud Feeds) | Artwork: http://i1.sndcdn.com/avatars-000058237903-5qc6ry-original.jpg
OWASP 24/7 is a recorded series of discussions with project leads within OWASP. Each week, we talk about the new projects that have come on board, updates to existing projects and interesting bits of trivia that come across our desk.

2016 AppSec USA - An Update on the WebGoat Project
Published: Wed, 30 Nov 2016 21:57:27 +0000
https://soundcloud.com/owasp-podcast/2016-appsec-usa-an-update-on-the-webgoat-project
Duration: 00:13:56
WebGoat is a deliberately insecure web application maintained by OWASP, designed to teach web application security lessons. It is one of the most used projects at OWASP.
With the current team headed by Bruce Mayhew, Nanne Baars and Jason White, work is moving forward on the creation of new training lessons for application security. I talked with Bruce and the team about what they've done with the latest update and what they hope to accomplish in the coming year.

2016 AppSec USA: The Core Rule Set Project w/ Chaim Sanders
Published: Wed, 12 Oct 2016 14:07:10 +0000
https://soundcloud.com/owasp-podcast/the-core-rule-set-project-w-chaim-sanders
Duration: 00:09:52
The OWASP ModSecurity Core Rule Set Project's goal is to provide an easily "pluggable" set of generic attack detection rules that provide a base level of protection for any web application. Chaim Sanders, Ryan Barnett, Christian Folini and Walter Hop are the team coordinating the project.
During 2016 AppSec USA, I spoke with Chaim about the purpose of the project, the work done in the past year, the upcoming release and what the team hopes to accomplish in 2017.
https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

The Future of DevSecOps w/ Shannon Lietz and Chris Swan, Live From IP Expo London
Published: Sun, 09 Oct 2016 06:15:19 +0000
https://soundcloud.com/owasp-podcast/the-future-of-devsecops-w-shannon-lietz-and-chris-swann-live-from-ip-expo-london
Duration: 00:57:23
This is a live recording from 2016 IP Expo London, with Shannon Lietz (Intuit), Chris Swan (CSC) and host Mark Miller (Sonatype) discussing the future of security as it relates to DevOps. Shannon and Chris are real-world practitioners, bringing stories from the trenches. We start with where the term DevSecOps came from, then move on to the future of automated security as part of the DevOps ecosystem.

2016 Board Election Interviews - Part Four of Four - Members, Projects, Conferences, Chapters
Published: Mon, 19 Sep 2016 05:07:07 +0000
https://soundcloud.com/owasp-podcast/2016-board-election-interviews-part-fourth-of-four
Duration: 00:16:33
Today's podcast is the fourth in a series of four, talking with prospective 2016 board members. Today's question is: "What is more important to you as a candidate: 1) Members, 2) Projects, 3) Conferences, 4) Chapters?"
The format for today's Q&A with potential board members is simple. We ask a single question. Each candidate has 2 minutes to respond to the question. These recordings were done using Google Hangouts, so there will be slight sound glitches and background noises during some of the answers.

2016 Board Election Interviews - Part Three of Four - Most Important Issues
Published: Sun, 18 Sep 2016 05:24:33 +0000
https://soundcloud.com/owasp-podcast/2016-board-election-interviews-part-three-of-four
Duration: 00:18:17
Today's podcast is the third in a series of four, talking with prospective 2016 board members. Today's question is: "What is the single most important issue for you to tackle if elected to the board?"
The format for today's Q&A with potential board members is simple. We ask a single question. Each candidate has 2 minutes to respond to the question. These recordings were done using Google Hangouts, so there will be slight sound glitches and background noises during some of the answers.

2016 Board Election Interviews - Part Two of Four - Vendor Neutrality
Published: Thu, 15 Sep 2016 16:11:25 +0000
https://soundcloud.com/owasp-podcast/2016-board-election-interviews-part-two-of-four
Duration: 00:19:43
Today's podcast is the second in a series of four, talking with prospective 2016 board members. Today's question is: "Do you consider vendor neutrality an issue at OWASP? If so, why?"
The format for today's Q&A with potential board members is simple. We ask a single question. Each candidate has 2 minutes to respond to the question. These recordings were done using Google Hangouts, so there will be slight sound glitches and background noises during some of the answers.

2016 OWASP Board Election Interviews - Part One of Four - Developer Participation
Published: Wed, 14 Sep 2016 17:06:34 +0000
https://soundcloud.com/owasp-podcast/2016-board-election-interviews-part-one-of-four
Duration: 00:20:12
Today's podcast is the first in a series of four, talking with prospective 2016 board members. Today's question is: "What kind of action plan do you have in mind to help motivate the participation of developers in the OWASP community?"
The format for today's Q&A with potential board members is simple. We ask a single question. Each candidate has 2 minutes to respond to the question. These recordings were done using Google Hangouts, so there will be slight sound glitches and background noises during some of the answers.

AppSec USA 2016 Pre-Conference Update
Published: Fri, 09 Sep 2016 03:44:36 +0000
https://soundcloud.com/owasp-podcast/appsec-usa-pre-conference-update
Duration: 00:16:46
From October 11 - 14, 2016, appsec professionals from around the world will gather in Washington DC to participate in one of this year's main OWASP events, AppSec USA 2016. In this broadcast, I speak with three organizers of the event (Andrew Weidenhamer, Mike McCabe, Patrick Cooley) to get insight into what to anticipate at the conference, the unique qualities of an AppSec USA event, and a sneak peek at the sessions that will be given over the 4-day event.

Security as Part of Continuous Delivery with Sacha Labourey
Published: Thu, 18 Aug 2016 22:51:03 +0000
https://soundcloud.com/owasp-podcast/security-as-part-of-continuous-delivery-with-sacha-lebourey
Duration: 00:17:58
Continuing the theme of integrating security into DevOps processes, I spoke with Sacha Labourey, CEO of CloudBees, during a stop at CD Summit in London. As one of the main players in the software supply chain for DevOps, I was interested in Sacha's perspective on how automated security fits into that supply chain. We start the discussion with "What is continuous delivery?" followed by the place for security in the modern developer environment.
About Sacha Labourey
Sacha was born in Neuchâtel, Switzerland and graduated in 1999 from EPFL. It was during Sacha's studies in 1996 that he started his first consulting business, Cogito Informatique. In 2001, he joined Marc Fleury's JBoss project as a core contributor and implemented JBoss' original clustering features. In 2003, Sacha founded the European headquarters for JBoss and, as GM for Europe, led the strategy and partnerships that helped fuel the company's growth in that region. While in this position, he led the recruitment of some of JBoss' key talent and the acquisition of key technology.
In 2005, he was appointed CTO of JBoss, Inc. and oversaw all of JBoss engineering. In June 2006, JBoss, Inc. was acquired by Red Hat (NYSE:RHT). After the acquisition, Sacha remained JBoss CTO and played a crucial role in integrating and productizing JBoss software with Red Hat offerings.
In 2007, Sacha became co-General Manager of Red Hat's middleware division. He ultimately left Red Hat in April 2009 and founded CloudBees in April 2010.

Unicorns on an Aircraft Carrier: DevOps Security at Scale with Sanjeev Sharma
Published: Thu, 21 Jul 2016 19:49:39 +0000
https://soundcloud.com/owasp-podcast/unicorns-on-an-aircraft-carrier-devops-security-at-scale-with-sanjeev-sharma
Duration: 00:22:54
Sanjeev Sharma is a Distinguished Engineer at IBM. His main concern is how DevOps initiatives scale in large enterprises. In this wide-ranging discussion recorded during CD Summit in Stockholm, I talk with Sanjeev about DevOps adoption, how security will play a critical role in any automated, scalable solution, and the transition of traditional IT operations to the role of service provider.

2016 State of the Software Supply Chain Report with Derek Weeks
Published: Mon, 11 Jul 2016 05:24:12 +0000
https://soundcloud.com/owasp-podcast/2016-software-supply-chain-report-with-derek-weeks
Duration: 00:16:24
The "State of the Software Supply Chain Report" featured in today's show is an industry report produced by Sonatype. In the spirit of full disclosure, Mark Miller is the Senior Storyteller and DevOps Advocate for Sonatype. That said, no products are mentioned and nothing is being sold. Sonatype is the steward of the Central Repository and has access to an incredible set of data. The information in the report relates directly to A9 within the OWASP Top 10: Using Components with Known Vulnerabilities. The full report is available as a free download.
To describe the findings of the report and the discoveries made from analyzing the open source download patterns of 3000 companies, I spoke with Derek Weeks, VP and Rugged DevOps Advocate from Sonatype.

Security as Part of DevOps and Development with Jason Schmitt
Published: Wed, 06 Jul 2016 16:04:33 +0000
https://soundcloud.com/owasp-podcast/security-as-part-of-devops-and-development-with-jason-schmitt
Duration: 00:28:25
Jason Schmitt's passion is to ensure security is built into the development process, not just as a bolt-on add-on. His experience in various aspects of software security has led him on a path through mobile, application and cloud security. In our conversation, Jason talks about the value OWASP provides to the community as well as what he perceives as a critical time for the integration between DevOps and security.
About Jason Schmitt
Jason Schmitt is vice president and general manager of HPE Security Products, Fortify for Hewlett Packard Enterprise. He is responsible for driving the growth of Fortify's software security business and managing all operational functions within the group. Schmitt has extensive experience in product management, development and marketing for all types of web and security technologies. His expertise ranges from cloud-based secure web gateways, to application security and mobile security consulting services, to network-based video surveillance.

2016 AppSecEU - Update On The ASVS Project with Andrew van der Stock
Published: Tue, 05 Jul 2016 17:26:45 +0000
https://soundcloud.com/owasp-podcast/2016-appseceu-update-on-the-asvs-project-with-andrew-van-der-stock
Duration: 00:14:18
The Application Security Verification Standard Project is a Flagship project at OWASP. It provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development. I sat down with Andrew van der Stock at AppSecEU 2016 to get the most recent updates on the project and to gain an insight into future plans.

2016 AppSecEU - The University Challenge
Published: Fri, 01 Jul 2016 02:38:32 +0000
https://soundcloud.com/owasp-podcast/2016-appseceu-the-university-challenge
Duration: 00:11:40
At 2016 AppSecEU in Rome, five teams showed up for the University Challenge. I talked with the organizers of the challenge about the history of the project, and with two team leaders to see how the challenge was going and what value they were getting by participating in the contest.

Jim Manico's 100th Episode, featuring Mark Miller, Executive Producer of OWASP 24/7
Published: Wed, 29 Jun 2016 00:56:27 +0000
https://soundcloud.com/owasp-podcast/jim-manico-interviews-mark-miller-executive-producer-of-owasp-247
Duration: 00:38:43
In this episode, Jim Manico turns the tables on me for his 100th podcast. He digs into my past, asks about my motivations for participating in OWASP, inquires about what I hope to accomplish through the series, and how DevOps and security can be part of a single conversation when it comes to the software supply chain.
Mark Miller is the Senior Storyteller and Developer Evangelist for Sonatype. He is the curator of TheNexus Community Project, while participating in DevOps and security conferences as a frequent panel host. He recently helped build the DevOps track for RSAC Conference 2016 and InfoSec Europe 2016, and is working on the DevOps track for AppSecUSA 2016, this fall in Washington, DC.
Mark's most recent project is "An Innovator's Journey to DevOps", a series of interviews and profiles highlighting important people and DevOps projects that deserve more exposure. You can listen to that series at www.sonatype.com/devops-an-innova…journey-sonatype

AppSec Europe 2016 - What To Expect
Published: Wed, 25 May 2016 01:06:18 +0000
https://soundcloud.com/owasp-podcast/2016-appsec-europe-what-to-expect
Duration: 00:11:04
What can you expect when you attend AppSec EU 2016 in Rome at the end of June? I talk with Bart de Win and Matteo Meucci, conference chairs, to see who is coming, why you should, and what to expect when AppSec EU goes to one of the world's greatest cities.
Registration is open: https://2016.appsec.eu/

Communication Patterns in Open Source Component Supply Chains
Published: Fri, 15 Apr 2016 18:47:00 +0000
https://soundcloud.com/owasp-podcast/communication-patterns-in-open-source-component-supply-chains
Duration: 00:12:16
To understand more about communication patterns in open source supply chains, Dr. Gail Murphy and Dr. Marc Palyart undertook a study of 1,227 public projects hosted on GitHub. I spoke with Dr. Murphy about the project and what it means for open source developers trying to generate visibility and community around their project.
About Dr. Gail Murphy
Dr. Murphy is a leading researcher on software evolution and tools. She brings to Tasktop extensive experience as a software developer and principal investigator of a large research group. In recognition of her research, Gail has been a keynote speaker at several software engineering conferences. She has received international awards, such as the AITO Dahl-Nygaard Junior Prize, a University of Washington College of Engineering Diamond Award, and an ACM Distinguished Scientist award.
Her national awards include the NSERC Steacie fellowship. Most notably, Gail was elected a fellow of the Royal Society of Canada. This fellowship is the highest academic accolade in the sciences, humanities and arts bestowed in Canada. At the University of British Columbia, Gail is a professor in the Department of Computer Science, where she works on human-oriented software development tools to make software developers more efficient and effective, and associate dean (Research & Graduate Studies) in the Faculty of Science.
About Dr. Marc Palyart
Marc Palyart is a researcher in Software Engineering from the Software Practices Lab at the University of British Columbia. He holds a PhD from the University of Toulouse and a BSc (Hons) from the Dundalk Institute of Technology. When not in the lab you can find him wandering around the coastal mountains of British Columbia.

Active Deception as a Methodology for Cybersecurity w/ Lawrence Pingree from Gartner
Published: Mon, 21 Mar 2016 19:14:21 +0000
https://soundcloud.com/owasp-podcast/active-deception-as-a-methodology-for-cybersecurity-w-lawrence-pingree
Duration: 00:18:35
Lawrence Pingree and I were having a discussion in the press room at RSA Conference 2016. We talked about his work with Gartner, analyzing deception as part of cybersecurity. His voice was so passionate, I just had to turn on the recorder. I haven't heard many people talking about this subject, but it's intriguing to think about... more than honeypots, true deception. Have a listen.
About Lawrence Pingree
Lawrence Pingree has been an active member of the Information Security industry for many years. He has consulted for large financial institutions, corporations and government entities on technologies ranging from firewalls, intrusion detection, networks, system penetration, risk management, compliance, eDiscovery and forensics.
He has served as a Chief Security Architect at both PeopleSoft and NetScreen. He is currently an active member of the Information Systems Security Association (ISSA) of Silicon Valley as well as the Open Web Application Security Project (OWASP) and is a published author of two books.
Lawrence is a founding board member of the Digital Forensics Association, where he is serving as Vice President. In his spare time he enjoys trading money on the foreign currency market, hiking, nature and performance cars.

DevOps, Security and Engineering at Slack
Published: Wed, 02 Mar 2016 22:56:56 +0000
https://soundcloud.com/owasp-podcast/devops-security-and-engineering-at-slack
00:09:17OWASP 24/7noLeigh Honeywell And Ari Rubenstein are Senior Staff Security Engineers at Slack. I saw Leigh on Wendy Nather's panel during RSA Conference 2016 and was interested in getting some insight into what's going on at Slack when it comes to DevOps. As luck would have it, Ari was in the audience, so we were able to step outside into the hallway and talk about how DevOps, security and engineering work together at Slack.
About Leigh Honeywell
Leigh reboots computers and makes hackerspaces.
Leigh is a Security Engineer at Slack. Prior to Slack, she worked at Salesforce.com, Microsoft, Symantec, and Bell Canada. Her career has included everything from stringing cable and building phone systems to responding to some of the most serious computer security incidents in industry history, shipping software to a billion people, and protecting infrastructure running companies’ critical business communications.
Her community work includes founding the HackLabTO hackerspace in Toronto, Canada, and the first feminist hackerspace, the Seattle Attic Community Workshop, as well as advising countless others and speaking about hackerspace cultures, collaboration, and open source software. She is Chief Security Officer of Double Union, a women’s hackerspace in San Francisco. She is a former administrator of the Geek Feminism wiki and blog, and current adviser to the Ada Initiative, the SECTor security conference, and the Magic Vibes Corporation. Leigh has a Bachelors of Science from the University of Toronto where she majored in Computer Science and Equity Studies.
About Ari Rubenstein
Senior Staff Security Engineer
- Developed tooling for Security Automation, Detection, and Response
- Implemented multiple open-source technologies to gain visibility on a company-wide level
- Led feature reviews and architecture critiques
- Discovered multiple vulnerabilities in Open Source Software, and committed fixes upstream
- Performed code audits and static analysis
- Collaborated cross-organization on Security topics with Sales, Accounts, Engineering, and Executive teams
- Managed public-facing bug bounty program for product security issues
- Provided guidance for customer questions and support tickets

Security War Games with Sam Guckenheimer at Rugged DevOps RSAC 2016
Mon, 29 Feb 2016 03:18:57 +0000
https://soundcloud.com/owasp-podcast/security-war-games-with-sam-guckenheimer-at-rugged-devops-rsac-2016
Duration: 00:22:13
You just have to accept it. The hackers are going to get in. The question is, what are you going to do once they are in? In preparation for Sam Guckenheimer's session at Rugged DevOps, RSA Conference 2016, I spoke with Sam about his work at Microsoft and how his team is working on Security War Games to keep things in check.
About Sam Guckenheimer
Sam Guckenheimer is Product Owner for the Microsoft Visual Studio Cloud Services, including VS Team Services and Team Foundation Server. He focuses on DevOps, Agile and Application LifeCycle Management (ALM). His most recent talk: From Box to Cloud at Gartner AADI 2015 is available at https://gartner.mediasite.com/Mediasite/Play/a246d6f2d86f47dab8fc4ee49887b5f81d.
Sam is the author of three books, most recently Visual Studio Team Foundation Server 2012: Adopting Agile Software Practices: From Backlog to Continuous Feedback. Prior to joining Microsoft in 2003, Sam was Director of Product Line Strategy at Rational Software Corporation, now the Rational Division of IBM.
Sam lives in the Seattle area with his wife and three children in a sustainable house they built that has been described in articles in Metropolitan Home and Pacific Northwest magazine.

Guns, Germs and Steel at RSAC 2016 with John Willis
Fri, 26 Feb 2016 17:07:19 +0000
https://soundcloud.com/owasp-podcast/guns-germs-and-steel-at-rsac-2016-with-john-willis
Duration: 00:14:12
After John Willis' keynote session next week at Rugged DevOps during RSA Conference 2016, he says he's going to grab a front row seat because he's so excited about the line up.
In this interview, I talk with John about his relationship with Josh Corman and how they started working together. We talk about security as part of the software supply chain, the part Docker plays in the reference architecture picture for enterprise DevOps and how the developer world has changed in the past 5 years.
About John Willis
John Willis has worked in the IT management industry for more than 35 years. Currently he is an Evangelist at Docker Inc. Prior to Docker, Willis was the VP of Solutions for Socketplane (sold to Docker) and Enstratius (sold to Dell).
Prior to Socketplane and Enstratius, Willis was the VP of Training & Services at Opscode where he formalized the training, evangelism, and professional services functions at the firm. Willis also founded Gulf Breeze Software, an award-winning IBM business partner, which specializes in deploying Tivoli technology for the enterprise.
John has authored six IBM Redbooks for IBM on enterprise systems management and was the founder and chief architect at Chain Bridge Systems.

Equal Respect: Women in Technology with Chenxi Wang
Thu, 25 Feb 2016 21:17:20 +0000
https://soundcloud.com/owasp-podcast/equal-respect-women-in-technology-with-chenxi-wang
Duration: 00:13:37
Chenxi Wang has had a diverse career in the technology industry. Before her current position as Chief Strategy Officer at Twistlock, she was Vice President, Cloud Security & Strategy at CipherCloud, Vice President, Strategy and Market Intelligence at Intel Security, and Vice President at Forrester Research. Along the way, she has worked on technology education initiatives and is currently at work on Equal Respect, a movement to stop the objectification of women in technology.
In this interview, I spoke with Chenxi about her upcoming sessions at RSA Conference 2016, her work on the Equal Respect initiative, and her passion for software security education.

DevOps: Politics, People and Process with Paula Thrasher
Wed, 24 Feb 2016 22:44:05 +0000
https://soundcloud.com/owasp-podcast/devops-politics-people-and-process-with-paula-thrasher
Duration: 00:14:40
I first met Paula Thrasher at DevOps Summit 2016 in San Francisco. Her message about people at the core of software supply chain processes resonated with me enough that I invited her to participate on a panel at RSA Conference 2016 in San Francisco on February 29.
In the run up to the conference, I recorded this call with Paula about what it takes to facilitate a large scale DevOps project for the US Government. Her main concentration is in change management and how to deal with the intricacy of various personalities when working with developers, the security team and operations.
About Paula Thrasher
Paula is an Application Delivery Lead at CSRA, formed from the merger of CSC's government services unit and SRA International. CSRA is the leading provider in next-generation IT and professional services to the US Government. Paula leads digital transformations for customers across the federal government. She has 20 years' experience in information technology and works in the federal market leading agencies and teams towards Agile and DevOps.
Paula’s first Agile project was in 2001; since then she has led over 15 programs and projects as an Agile developer, technical lead, Scrum master, or Agile coach. Her teams have helped three separate federal agencies migrate applications to Amazon AWS GovCloud, and done some other amazing DevOps ninja work along the way.
Paula, a Carnegie Mellon University alumna with a B.S. in Statistics, is a Certified Scrum Master (CSM) and a Project Management Professional (PMP), but prefers learning new things through experience and working with smart people.

OWASP Top 10 Proactive Controls Project with Jim Manico and Katy Anton
Tue, 09 Feb 2016 17:31:15 +0000
https://soundcloud.com/owasp-podcast/owasp-top-10-proactive-controls-project-with-jim-manico-and-kay-anton
Duration: 00:21:56
The OWASP Top 10 Proactive Controls Project uses the OWASP Top 10 model as a way to encourage the community to participate in the building and maintenance of a Top 10 project aimed at developers. In this interview, I talk with Jim Manico and Katy Anton on the history of the project, how they anticipate it being utilized, and how they have worked with the community to decide the criteria for building the list of controls.

The OWASP WebGoat Project, version 7.0, with Bruce Mayhew
Mon, 01 Feb 2016 03:45:18 +0000
https://soundcloud.com/owasp-podcast/owasp-24-7-web-goat-project-with-bruce-mayhew-final
Duration: 00:17:00
The WebGoat Project started 10 years ago and has had over 1,000,000 downloads. Version 7.0 is being released this week. I caught up with Bruce Mayhew, project lead, to talk about the history of the project, what has been updated in version 7, and what he foresees as the future of this project.
https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

Johanna Curiel on the Growing Pains of OWASP and Management of Project Reviews
Wed, 27 Jan 2016 02:43:01 +0000
https://soundcloud.com/owasp-podcast/johanna-curiel-on-the-growing-pains-of-owasp-and-management-of-project-reviews
Duration: 00:26:46
Several months ago Johanna Curiel figured she'd had enough and was ready to take a break from OWASP. Recently, she came back and is working tirelessly to revamp the Project Review initiative. I talked with Johanna about why she left, what has changed to make it enticing enough for her to return and what her vision is for the Project Review team in the coming year.

2016 - What's in Store for the OWASP 24/7 Podcast Series
Thu, 21 Jan 2016 19:31:57 +0000
https://soundcloud.com/owasp-podcast/2016-whats-in-store-for-the-owasp-247-podcast-series
Duration: 00:04:14
As we move into 2016 and my second year as executive producer of OWASP 24/7, I want to give a quick overview of my objectives for the year and what you can expect from the series.

OWASP Shark Tank - Could You Convince Someone to Invest in Your Project?
Wed, 25 Nov 2015 00:21:22 +0000
https://soundcloud.com/owasp-podcast/owasp-shark-tank
Duration: 00:24:13
Funding of projects. Allocation of personal time. What does it take to get a project funded with limited resources? The OWASP NYC/NJ chapters are trying something new at the December 7th meeting: two projects will make pitches to a crowd of 300, with two angel investors in attendance.
In this OWASP 24/7 broadcast, I talk with Tom Brennan, event organizer, and the two people who will be pitching their projects. Listen in to see if this is something you might want to do for your chapter or project.
Here's a review of the Shark Tank pitch that two people made on the actual Shark Tank show. Needless to say, it didn't go too well.
http://www.inc.com/brian-j-oconnor/shark-tank-recap-there-s-no-crying-on-shark-tank.html
Find out more about the December 7 event on the NYC/NJ Meetup Page
http://www.meetup.com/nycmetrocsc/
Credit: Music for today's broadcast was provided by the George Cole Quintet. Hear more at http://georgecole.net/

OWASP Application Security Verification Standard Project w/ Andrew van der Stock
Thu, 01 Oct 2015 15:49:44 +0000
https://soundcloud.com/owasp-podcast/owasp-asvs-project-final
Duration: 00:08:23
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls. The primary aim of the OWASP ASVS Project is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially workable open standard.
Project on OWASP
https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project

OWASP Benchmark Project w/ Dave Wichers
Wed, 30 Sep 2015 15:51:47 +0000
https://soundcloud.com/owasp-podcast/owasp-benchmark-project-w-dave-wichers
Duration: 00:14:49
There's been a lot of discussion around the OWASP Benchmark Project since its latest release. Jeff Williams wrote an article and then received a response from Chris Wysopal at Veracode. I was able to catch up with Dave Wichers, OWASP Project Lead, during AppSecUSA 2015 in San Francisco. I had Dave talk me through the project and what its intentions are.
Resources:
OWASP Benchmark Project
https://www.owasp.org/index.php/Benchmark
Why it's Insane to Trust Static Analysis
http://www.darkreading.com/vulnerabilities---threats/why-its-insane-to-trust-static-analysis/a/d-id/1322274?
No One Technology is a Silver Bullet
https://www.veracode.com/blog/2015/09/no-one-technology-silver-bullet

OWASP Security Shepherd Project w/ Mark Denihan and Paul McCann
Tue, 29 Sep 2015 15:15:11 +0000
https://soundcloud.com/owasp-podcast/owasp-security-shepherd-project-w-mark-denihan-and-paul-mccann
Duration: 00:13:23
The Security Shepherd Project is a mobile web application training platform for penetration testing. It covers the OWASP Top 10 risks from both the mobile and web projects.
This recording was made at AppSecUSA 2015 during the Project Summit.

DevOps, Security and Development w/ Matt Tesauro, Shannon Lietz and Jez Humble
Mon, 28 Sep 2015 16:00:49 +0000
https://soundcloud.com/owasp-podcast/security-in-development-w-matt-tesauro-shannon-lietz-and-jez-humble
Duration: 00:42:47
When I was at AppSecUSA 2015 in San Francisco, I was standing in the hallway talking with Matt Tesauro, Shannon Lietz and Jez Humble. We decided that our discussion was interesting enough to continue, so we grabbed a room and just started talking.
Heads up: There are basic audio problems with the recording, such as some background hiss and some high frequency whining (not from us, from the lights overhead!). It was an interesting discussion about real world scenarios that the three have seen in different environments, with solutions for those issues. There's an important summary that starts at 34 minutes where each of them specifies the most important things they'd like you to take away from the discussion.

OWASP Board Candidate Interview - Abbas Naderi, Michael Coates, Jonathan Carter
Thu, 03 Sep 2015 10:57:27 +0000
https://soundcloud.com/owasp-podcast/owasp-board-interview-abbas-naderi-michael-coates-jonathan-carter
Duration: 00:48:57
Part of a three-part series of interviews talking with OWASP board candidates for 2015. This segment includes candidates Abbas Naderi, Michael Coates and Jonathan Carter.

OWASP Board Candidate Interview - Bil Corry and Josh Sokol
Thu, 03 Sep 2015 10:48:43 +0000
https://soundcloud.com/owasp-podcast/owasp-board-interview-bil-corry-and-josh-sokol
Duration: 00:39:49
Part of a three-part series of interviews talking with OWASP board candidates for 2015. This segment includes candidates Bil Corry and Josh Sokol.

OWASP Board Candidate Interview - Milton Smith, Tobias Gondrom, Tom Brennan
Thu, 03 Sep 2015 10:36:20 +0000
https://soundcloud.com/owasp-podcast/owasp-board-interview-milton-smith-tobias-gondrom-tom-brannen
Duration: 00:43:05
Part of a three-part series of interviews talking with OWASP board candidates for 2015. This segment includes candidates Milton Smith, Tobias Gondrom and Tom Brennan.

OWASP Security Knowledge Framework Project w/ Glenn Ten Cate
Mon, 27 Jul 2015 15:40:24 +0000
https://soundcloud.com/owasp-podcast/owasp-security-knowledge-framework-project-w-glenn-ten-cata
Duration: 00:23:51
With over 20,000 downloads within its first two months of release, the Security Knowledge Framework Project seems to have hit a resonant chord with the OWASP community. Glenn Ten Cate and his brother Riccardo created the project as a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security.
The OWASP Security Knowledge Framework is an expert system web application that uses the OWASP Application Security Verification Standard and other resources. I spoke with Glenn about the project and its future growth.
You can learn more about the project on the OWASP project site: https://www.owasp.org/index.php/OWASP_Security_Knowledge_Framework

OWASP Summer of Code Sprint 2015 with Fabio Cerullo
Wed, 15 Jul 2015 18:16:17 +0000
https://soundcloud.com/owasp-podcast/owasp-summerofcodesprint2015-final
Duration: 00:21:05
With the OWASP Summer of Code Sprint 2015 in full swing, OWASP 24/7 caught up with project lead Fabio Cerullo to see what the future of the project looks like and what to expect from the current sprint.

OWASP Project Funding Part 2 w/ Johanna Curiel and Claudia Casanovas
Thu, 02 Jul 2015 20:47:00 +0000
https://soundcloud.com/owasp-podcast/2015-owasp-project-funding-part-2-w-johanna-curiel-and-claudia-casanovas
Duration: 00:50:53
In part two of our open discussion on project funding for OWASP projects, I talk with Johanna Curiel, Project Review Team Leader, and Claudia Casanovas, the newly appointed Project Coordinator.
In this broadcast, we explore the roadblocks to getting OWASP project funding, discuss how to create a better process for requesting funds, and talk about historical examples of how the current process has, and has not, worked.

OWASP Project Funding w/ Josh Sokol, Dinis Cruz and Andrew van der Stock
Mon, 29 Jun 2015 18:28:31 +0000
https://soundcloud.com/owasp-podcast/owasp-project-funding
Duration: 00:47:53
How do projects get funded at OWASP? Who should have access to those funds? What is the history of projects being funded at OWASP? In this wide-ranging discussion, we talk with Andrew van der Stock, Dinis Cruz and Josh Sokol about access to funds for project leads and the perceived difficulty of getting funding.

The OWASP Online Academy with John Patrick Lita and Jerry Hoff
Thu, 25 Jun 2015 15:51:31 +0000
https://soundcloud.com/owasp-podcast/the-owasp-online-academy-with-john-patrick-lita-and-jerry-hoff
Duration: 00:18:04
John Patrick Lita has been working on the OWASP Online Academy since February. He plans to release it to the community within the next month. In this conversation, we talk with John about his plans for the project. Joining us is Jerry Hoff, one of the first content contributors to the Online Academy.
https://www.owasp.org/index.php/OWASP_Online_Academy

AppSec USA 2015 Overview with Ben Hagen and Michael Coates
Wed, 24 Jun 2015 20:58:42 +0000
https://soundcloud.com/owasp-podcast/appsec-usa-2015-overview-with-ben-hagen-and-michael-coates
Duration: 00:18:44
This year's AppSec USA Conference will be held in San Francisco, September 22 - 25. I spoke with Ben Hagen and Michael Coates, organizers of the event, to see how the planning is going and what will be special about this event.
https://2015.appsecusa.org/

Paul Ritchie, Executive Director, Talks Present, Past and Future of OWASP
Thu, 28 May 2015 20:06:20 +0000
https://soundcloud.com/owasp-podcast/paul-ritchie-executive-director-talks-present-past-and-future-of-owasp
Duration: 00:22:00
Paul Ritchie has been executive director of OWASP since July of 2014. In our talk, I get Paul's perspective on the best ways for chapters to utilize OWASP resources and what he sees in the near future for OWASP.

OWASP Offensive Web Testing Framework with Bharadwaj Machiraju and Abraham Aranguren
Wed, 15 Apr 2015 17:14:02 +0000
https://soundcloud.com/owasp-podcast/owasp-offensive-web-testing-framework
Duration: 00:20:01
In this segment, we talk with the co-coordinators of the OWASP OWTF Project. The aim of the project is to make security assessments as efficient as possible by automating the manual, uncreative part of pen testing.

Tobias Gondrom on the OWASP Strategic Goals for 2015
Fri, 03 Apr 2015 17:39:07 +0000
https://soundcloud.com/owasp-podcast/tobias-gondrom-on-the-owasp-strategic-goals-for-2015

Duration: 00:23:16
In this segment of OWASP 24/7, I speak with Tobias Gondrom on the strategic goals for OWASP in 2015.

2015 AppSecEU Pre Conference Update
Tue, 31 Mar 2015 17:40:54 +0000
https://soundcloud.com/owasp-podcast/2015-appseceu-preconferenceupdate

Duration: 00:19:38
In this broadcast, we talk with the organizing committee from AppSecEU 2015 to see what they've been working on and what you can expect when you go to the conference in Amsterdam this May.

OWASP Project Reviews with Johanna Curiel
Wed, 25 Feb 2015 21:25:11 +0000
https://soundcloud.com/owasp-podcast/owasp-project-reviews-with-johanna-curiel
Duration: 00:20:51
Johanna Curiel is the wizard behind the curtain that manages the evaluation of OWASP projects. In this wide-ranging discussion, I talk with Johanna about the criteria for project evaluation, how projects become "Flagship" status and what it takes to run a project of this size.
About Johanna Curiel
Johanna Curiel is a security engineer and developer of financial tools for Algorithmic Trading software. She works on multiple open source initiatives such as OWASP, Openbloomberg, Algorithmic Trading and bug hunting activities and hackathons.

2015 OWASP Project Summit in NYC with Tom Brennan
Tue, 24 Feb 2015 16:11:49 +0000
https://soundcloud.com/owasp-podcast/2015-owasp-project-summit-in-nyc-with-tom-brennan
Duration: 00:10:33
I caught up with Tom Brennan, coordinator of the 2015 OWASP Project Summit in New York City, to hear what he has in store for the 2-day event.
http://www.meetup.com/OWASP-NYC/

Seba Deleersnyder Discusses SAMM (Software Assurance Maturity Model) Summit in Dublin, Ireland
Thu, 19 Feb 2015 22:35:53 +0000
https://soundcloud.com/owasp-podcast/seba-deleersnyder-discusses-samm-software-assurance-maturity-model-summit-in-dublin-ireland
Duration: 00:17:52
The first SAMM (Software Assurance Maturity Model) Summit will be held in Dublin, Ireland on March 27 - 28, 2015. I spoke with Seba Deleersnyder, co-ordinator of the summit, to find out his goals for the SAMM project as well as his hopes for the summit.
About Seba Deleersnyder
As security project leader, application security specialist, trainer and trusted advisor for our customers, I have a track record of delivering information security projects. I specialise in Web & Mobile Application Security, combining both my broad software development and ICT security experience.

2015 AppSec California Post Mortem with Richard Greenberg and Neil Matatall
Tue, 17 Feb 2015 18:39:42 +0000
https://soundcloud.com/owasp-podcast/2015-appsec-california-post-mortem-with-richard-greenberg-and-neil-matatall
Duration: 00:25:00
What does it take to put on a successful conference? How much work is involved? In this segment, I sit down with Neil Matatall and Richard Greenberg, co-organizers of AppSec California 2015. We talk about how they came up with the idea and what resources were needed to pull off such a successful event.
About Richard Greenberg
Richard Greenberg, CISSP, a recognized leader in Information Security, is President of the Los Angeles Chapter of OWASP. His day job is Information Security Officer for the Los Angeles County Department of Public Health.

John Melton and the OWASP AppSensor Project
Fri, 13 Feb 2015 17:10:28 +0000
https://soundcloud.com/owasp-podcast/john-melton-and-the-owasp-appsensor-project
Duration: 00:18:57
The OWASP AppSensor Project has just released version 2.0. In this broadcast we speak with John Melton, project code lead, on the latest features in the release and what the future looks like for the project.
About John Melton
John is one of the co-leaders for the OWASP AppSensor project and leads the software implementation. For his day job, he is a principal security researcher for WhiteHat Security, working in the SAST space. His background is in software and security engineering.

Moxie Marlinspike on Open Source Security for Mobile Devices
Mon, 05 Jan 2015 14:51:07 +0000
https://soundcloud.com/owasp-podcast/moxie-marlinspike-on-the-open-source-security-for-mobile-devices
Duration: 00:43:34
Moxie Marlinspike is the founder of Open Whisper Systems, which is both a large community of Open Source contributors and a small team of dedicated developers. Together, the members of Open Whisper Systems are working to advance the state of the art for secure communication, while simultaneously making it easy for everyone to use.
Moxie works on secure protocols, Android clients, and server software. He has been contributing to Open Whisper Systems since it was Whisper Systems, formerly ran the product security team at Twitter, and started the first cloud-based password cracking service. He has also published a number of attacks on secure protocols like SSL and MS-CHAPv2.
He has been a keynote speaker at past OWASP and other security conferences.

Dibbe Edwards - DevOps and Open Source at IBM
Thu, 11 Dec 2014 21:36:44 +0000
https://soundcloud.com/owasp-podcast/dibbe-edwards-devops-and-open-source-at-ibm
Duration: 00:30:05
At the IBM DevOps Symposium I watched as Dibbe Edwards enthralled the audience as she explained how IBM has instituted DevOps and Agile throughout the development cycle. In some cases the results are nearly unbelievable, such as reducing Overall Time to Development from 120 days down to 3 days. I wanted to hear more about how she could create such startling results, so I gave her a call.
About Dibbe Edwards
Dibbe Edwards is Vice President, IBM Rational DevOps Capabilities Development, responsible for the executive leadership of Rational’s development business covering key aspects of IBM’s DevOps strategy and offerings, including application lifecycle management and reporting, quality and requirements management, systems development and architecture management, SaaS-based offerings, and integration and open software development. Dibbe is additionally driving Rational’s own internal continuous software delivery activities as well as Rational’s on-going transparent development initiative through jazz.net. Dibbe is a frequent speaker at DevOps events, including recently at DevOps Enterprise.
She blogs at IBM developerWorks, where she most recently authored a blog about A Day in the Life of an Enterprise DevOps Team.

The WebGoat Project with Rick Lawson and Jason White
Wed, 05 Nov 2014 17:21:59 +0000
https://soundcloud.com/owasp-podcast/the-webgoat-project-with
Duration: 00:14:47
The WebGoat Project has developed a free online tool used to test and uncover application flaws that might otherwise go unnoticed. In this episode of OWASP 24/7, we talk with two of the WebGoat team members, Rick Lawson and Jason White, about how WebGoat is being used and future plans.
More about WebGoat
WebGoat for J2EE is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the user can go through the lessons and track their progress with the scorecard.

Kevin E. Greene on OWASP and the SWAMP Project
Fri, 17 Oct 2014 16:29:49 +0000
https://soundcloud.com/owasp-podcast/kevin-e-greene-on-owasp-and-the-swamp-project
Duration: 00:26:58
During a meeting at AppSec USA 2014 in Denver, the SWAMP team presented its case for working with OWASP to support a marketplace for security tools. I sat down with Kevin E. Greene from DHS S&T, Cybersecurity Division, to talk about what SWAMP is and how OWASP and its various projects might become involved.
About Kevin E. Greene
Software Assurance Program Manager responsible for oversight and management of research and development projects focused on improving the testing, analysis, and evaluation techniques used in software quality assurance tools. In addition, responsible for building a Software Assurance Marketplace (SWAMP) which will provide continuous software assurance services.
The SWAMP (www.cosalab.org) will serve as a national marketplace that will provide a collaborative research infrastructure to advance improvements in software development activities, as well as improvements in software quality assurance tools in the areas of precision, soundness, and scalability.

AppSec USA 2014, Denver - Damon Edwards, Matt Tesauro, Eoin Keary, Martin Knobloch
Fri, 19 Sep 2014 20:47:54 +0000
https://soundcloud.com/owasp-podcast/appsec-usa-2014-denver-damon-edwards-matt-tesauro-eoin-keary-martin-knobloch
Duration: 00:13:01
I was able to get a quick update from Damon, Matt, Eoin and Martin this week at AppSec USA 2014 Denver. They each have a different perspective on what is going on with OWASP in different parts of the world. Have a listen...

OWASP Board Candidate Interviews - Mateo Martinez
Fri, 19 Sep 2014 11:45:25 +0000
https://soundcloud.com/owasp-podcast/owasp-board-candidate-interviews-mateo-martinez
Duration: 00:17:10
With the OWASP board elections of 2014 upon us, we are doing a series of interviews so that you can come "face-to-face" with prospective board members. In this session, we talk with Mateo Martinez.
(Please note: This interview was done over the net with a connection from New York City to Montevideo, Uruguay. In some places, there is considerable static.)

OWASP Board Candidate Interviews - Jim Manico, Timur Khrotko
Tue, 16 Sep 2014 12:48:17 +0000
https://soundcloud.com/owasp-podcast/owasp-board-candidate-interviews-jim-manico-timur-khrotko

Duration: 00:36:14
With the OWASP board elections of 2014 upon us, we are doing a series of interviews so that you can come "face-to-face" with prospective board members. In this session, we talk with Jim Manico and Timur Khrotko.

OWASP Board Candidate Interviews - Andrew van der Stock, Nigel Phair, Abbas Naderi
Tue, 16 Sep 2014 12:39:36 +0000
https://soundcloud.com/owasp-podcast/owaspboardcandidateinterviews-session02

Duration: 00:39:46
With the OWASP board elections of 2014 upon us, we are doing a series of interviews so that you can come "face-to-face" with prospective board members. In this session, we talk with Andrew van der Stock, Nigel Phair and Abbas Naderi.

OWASP 2014 Board Candidate Interviews - Israel Bryski, Matt Konda, Bil Corry and Tahir Khan
Tue, 16 Sep 2014 04:08:55 +0000
https://soundcloud.com/owasp-podcast/owasp-2014-boardcandidate-interviews-israel-bryski-matt-konda-bil-corry-and-tahir-khan

Duration: 00:46:06
With the OWASP board elections of 2014 upon us, we are doing a series of interviews so that you can come "face-to-face" with prospective board members. In this session, we talk with Israel Bryski, Matt Konda, Bil Corry and Tahir Khan.

Jonathan Carter - OWASP and Mobile Security
Fri, 15 Aug 2014 18:08:57 +0000
https://soundcloud.com/owasp-podcast/2014-08-jonathancarter
Duration: 00:22:00
On the day before Black Hat 2014 kicked off, I was able to sit with Jonathan Carter to talk about his work and the projects he participates on in OWASP. The audio recording is a bit raw because the sound was cranked up in a conference full of people. What Jonathan has to say should more than compensate.
About Jonathan Carter
Jonathan Carter is an application security professional with over 15 years of security expertise within Canada, United States, Australia, and England. As a Software Engineer, Jonathan produced software for online gaming systems, payment gateways, SMS messaging gateways, and other solutions requiring a high degree of application security.
Jonathan’s technical background in artificial intelligence and static code analysis has led him to a diverse number of security roles: Enterprise Security Architect, Web Application Penetration Tester, Fortify Security Researcher, and Security Governance lead. He is currently Arxan’s Technical Director.

Sarah Baso - The Final Interview
Tue, 29 Jul 2014 23:15:50 +0000
https://soundcloud.com/owasp-podcast/sarah-baso-the-final-interview
Duration: 00:22:48
Sarah Baso is leaving OWASP at the end of the month. As executive director, she has been at the helm of the organization, helping to set up and run OWASP as a business. In our conversation we talk about the ups and downs of her tenure, and how she would like to be remembered in the future.
About Sarah Baso
Sarah is based in San Francisco, California, USA and has been the Executive Director of the OWASP Foundation since April 2013. In this role, she supervises the paid OWASP staff in addition to administering all programs and operations of the OWASP Foundation, reporting to the OWASP Board of Directors.

Wait! Wait! Don't pwn me! from AppSec Europe 2014
Fri, 18 Jul 2014 16:20:09 +0000
https://soundcloud.com/owasp-podcast/wait-wait-dont-pwn-me-from-appsec-europe-2014
Duration: 00:32:13
It's become a regular thing at AppSec: test the experts on their knowledge of current software security news events. This session was recorded at AppSec Europe 2014 with panelists Chris Eng, Matt Tesauro and Josh Corman.
If you'd like to play along, you can view the gameshow slide deck (http://www.slideshare.net/SonatypeCorp/wait-wait-dont-pwn-me-appsec-europe-2014?qid=6fe1af56-08a2-41cc-a0b5-5870c744810f). Looking forward to seeing you at our next AppSec session of "Wait Wait! Don't pwn me!"

Eoin Keary on Women in Security and Growing an OWASP Chapter
Mon, 14 Jul 2014 20:50:39 +0000
https://soundcloud.com/owasp-podcast/eoin-keary-owasp-global-board-member-on-women-in-security
Duration: 00:06:52
Eoin (pronounced Owen for you Yankees) Keary runs a software security practice in Ireland. In his "spare time", he is a global board member for OWASP. At the AppSec Europe 2014 Conference in Cambridge, UK, I spoke with Eoin about how to get more women into the software security industry, starting with their participation in OWASP.
About Eoin Keary
Eoin Keary has been with OWASP since 2004. He is based in Ireland and runs a software security practice, bccriskadvisory.com. He is currently on the global board of the OWASP foundation; he was elected to the board in 2009. During this time Eoin assisted in founding the OWASP legal entity in Europe and has helped provide structure to OWASP's finances and strategy.
Eoin previously led the OWASP Testing Guide and currently leads the OWASP Code Review Guide, and has also contributed to other OWASP projects such as OWASP SAMM, OWASP CISO Guide & CISO Survey, OWASP Cheat Sheets, and the OWASP ASVS & ZAP as a reviewer. Eoin also founded the OWASP Dublin chapter in 2006 and the OWASP Ireland event in 2008, which is in its 4th year, and also hosted OWASP EU in 2011.

Achim Hoffmann and the o-Saft Project for Scanning SSL Connections
Tue, 01 Jul 2014 14:50:21 +0000
https://soundcloud.com/owasp-podcast/achim-hoffman
Duration: 00:07:28
Achim Hoffmann is a researcher who has created a tool for listing information about a remote target's SSL certificate and testing the remote target against a given list of ciphers. This OWASP project, o-Saft (https://www.owasp.org/index.php/O-Saft), first gained notice when Jim Manico mentioned it on the OWASP email list. At AppSec Europe 2014, I was able to speak with Achim, along with Matt Tesauro, about the function of the tool and its uses.
About the Project
o-Saft is designed to be used by penetration testers, security auditors or server administrators. The idea is to show the important information or the special checks with a simple call of the tool. However, it provides a wide range of options so that it can be used for comprehensive and special checks by experienced people.
O-Saft is a command-line tool, so it can be used offline and in closed environments. However, it can simply be turned into an online CGI tool (please read the documentation first).
About Achim Hoffmann
Co-author, OWASP Best Practices: Projektierung der Sicherheitsprüfung von Webanwendungen (Planning Security Testing of Web Applications)
https://www.owasp.org/images/0/00/OWASP-Projektierung_der_Sicherheitspr%C3%BCfung_von_Webanwendungen_v101.de.pdf
Author, Sicherheit von Webanwendungen: BSI-Maßnahmenkatalog und Best Practices (Security of Web Applications: BSI Catalogue of Measures and Best Practices)
http://www.bsi.de/literat/studien/websec/WebSec.pdf
Contributor to WASC Web Application Firewall Evaluation Criteria
http://www.webappsec.org/projects/wafec/
Co-author, OWASP Best Practices: Web Application Firewalls
http://www.owasp.org/index.php/Best_Practices:_Web_Application_Firewalls
Reviewer/Contributor to WASC Threat Classification v1
German translation of the WASC Threat Classification v1
http://www.webappsec.org/projects/threat/
Reviewer/Contributor to WASC Threat Classification v2
http://projects.webappsec.org/Threat-Classification-Authors

OWASP Top 10 Privacy Risks Project with Florian Stahl and Stefan Burgmair
Tue, 29 Apr 2014 17:08:24 +0000
https://soundcloud.com/owasp-podcast/owasp-top-10-privacy-risks-project-with-florian-stahl-and-stefan-burgmair
00:16:42
The <a href="https://www.owasp.org/index.php/OWASP_Top_10_Privacy_Risks_Project">OWASP Top 10 Privacy Risks Project</a> aims to develop a top 10 list for privacy risks in web applications because currently there is no such catalog available. I spoke with co-leads Florian Stahl and Stefan Burgmair about how the project was started, the selection process for the top 10 risks and their future plans.
<b>About Florian Stahl</b>
Florian Stahl is a German security and privacy consultant and evangelist. He achieved his master’s with honors in information systems science at the University of Regensburg in Germany and his master's in computer science at Växjö Universitet in Sweden.
Florian started his professional career at the Swedish security software vendor Cryptzone in Gothenburg in 2006. He came back to Germany in 2009 and worked as a consultant for Ernst & Young in Munich before moving on to msg systems, where he currently holds the position of Lead Consultant. Florian has CISSP and CIPP/IT certifications and speaks fluent German, English and Swedish. His aim is to follow a holistic approach by combining technical, organisational and social measures to protect information.
He is a regular speaker at conferences and writes articles for magazines and on his blog securitybydesign.de. He leads the OWASP Top 10 Privacy Risks Project.
<b>About Stefan Burgmair</b>
Stefan Burgmair is a German student at the Munich University of Applied Sciences. After gaining his B.Sc. in Information Systems and Management, he is now writing his master's thesis on the "Top 10 Privacy Risks for Web Applications" at msg systems. Together with his advisor Florian Stahl, he is managing the OWASP Top 10 Privacy Risks Project.

tag:soundcloud,2010:tracks/146439762
The Run Up to a Massive Cyber Security Month with Tom Brennan
Fri, 25 Apr 2014 16:34:17 +0000
https://soundcloud.com/owasp-podcast/the-run-up-to-a-massive-cyber-security-month-with-tom-brennan
00:20:01
In anticipation of Security Awareness Month in October, Tom Brennan is planning an event featuring a cross section of various cyber groups in New York and New Jersey. A few weeks ago, I attended a Meet Up in New York City where many of the local groups got together to talk about what they are working on and how that plays into the October event. The Meet Up was VERY loud, so the sound quality leaves a bit to be desired, but the passion and enthusiasm still comes through.
The first segment of the show is an introduction with Tom Brennan as he talks about the cross-group event he put together in March and his plans for creating a large, cross-cyber group event for Security Awareness Month in October. I then spoke with Ian Amit, one of the OWASP chapter leaders for New York. He describes what he is working on for the OWASP chapter in New York. Izabela Pelszynska joins us to speak about the Women in Security group, and we end with a round table discussion of the upcoming event in October.

tag:soundcloud,2010:tracks/145156841
Wolfgang Goerlich on a Real World Example of The Phoenix Project in Action
Thu, 17 Apr 2014 15:03:23 +0000
https://soundcloud.com/owasp-podcast/wolfgang-goerlich-on-a-real-world-example-of-the-phoenix-project-in-action
00:25:10
At 2014 SOURCE Boston, Josh Corman told me that Wolfgang Goerlich had an interesting DevOps story to tell. I sat down and spoke with Wolfgang and was astounded to hear a tale that could have come straight out of Gene Kim's book, The Phoenix Project. Listen in as Wolfgang describes the process of taking over a project that was mired in technical debt, falling behind in deliverables to stakeholders and in need of a new way of thinking. To me, this story is one of the strongest statements for DevOps that I've heard.
<b>About Wolfgang Goerlich</b>
As Vice President of Consulting Services at VioPoint, Wolfgang supports clients by advising, identifying, and assisting in managing information security risk as well as mentoring VioPoint’s consulting team. Wolfgang, known for his outstanding leadership in the technology and information security community, is the co-founder of OWASP Detroit and an organizer of the annual BSides Detroit conferences as well as an accomplished speaker at regional and national security events.

tag:soundcloud,2010:tracks/143738856
Dwayne Melancon - What InfoSec Can Learn from Video Games
Tue, 08 Apr 2014 18:46:34 +0000
https://soundcloud.com/owasp-podcast/dwayne-melancon-on-what
00:04:39
Dwayne Melancon, CTO of Tripwire, has an interesting idea: turn your team into gamers, let them build their internal images and support that vision. This isn't the type of thing you'd expect to hear at a security conference. In this short conversation, I talk with Dwayne about how to implement employee game theory within your project team.
<b>About Dwayne Melancon</b>
I was a contributor to both the Visible Ops Handbook and Visible Ops Security Handbook, working with authors Gene Kim, Kevin Behr, and George Spafford. As part of this effort, I have worked as a researcher with Carnegie Mellon’s SEI, the University of Florida, and the IT Process Institute in their studies and benchmarking of IT best practices. I work with numerous corporations around the world on IT service management improvement and IT security, and have teamed with the Institute of Internal Auditors in its pursuit of Generally Accepted IT Principles.
As a frequent, highly-rated speaker at national and regional itSMF, ISACA, ISSA, IIA and other industry events, I present on how to achieve world-class IT results. Using a framework of essential IT controls, I provide operations, security, and audit audiences with prescriptive steps they can take to improve IT change policies, procedures and systems.

tag:soundcloud,2010:tracks/143714320
Melissa Elliott on the Heartbleed Bug at Yahoo
Tue, 08 Apr 2014 16:08:03 +0000
https://soundcloud.com/owasp-podcast/melissa-elliot-on-the
00:03:49
The Heartbleed bug is running rampant on many major sites such as Chase and Yahoo while people are scrambling madly to find solutions. At the SOURCE Boston Conference this morning, I caught up with Melissa Elliott from Veracode as she was examining the impact of Heartbleed on Yahoo, using software from Jared Stafford of JSPenguin.org. I asked her to describe what she was seeing. Have a listen...
About Melissa Elliott
I am 0xabad1dea (the zero-x is silent), a professional application security researcher also known as Melissa Elliott. If my name breaks your website we have a personal problem. My long-term goal is to convince programmers that the security of everything from the global economy all the way up to online Pokémon battles is in their hands and they need to take that responsibility seriously. My primary means of interacting with the community is through my extremely active Twitter account.

tag:soundcloud,2010:tracks/142499913
2014 AppSec APAC - Post Mortem (English)
Tue, 01 Apr 2014 11:02:02 +0000
https://soundcloud.com/owasp-podcast/2014-appsec-apac-post-mortem
00:18:53
In March 2014, <a href="https://www.owasp.org/index.php/User:Riotaro_OKADA">Rio Okada</a> and his team in Japan organized the first AppSec APAC event in Japan. I called Rio to ask how the event went. Joining the conversation with me and Rio are <a href="https://owasp.org/index.php/User:Robert_Dracea">Robert Dracea</a>, <a href="https://www.owasp.org/index.php/User:Tgondrom">Tobias Gondrom</a> and <a href="https://www.owasp.org/index.php/User:Jerryhoff">Jerry Hoff</a>. During our call we talked about what made the event so successful and how that success might be used in future AppSec events. Have a listen.

tag:soundcloud,2010:tracks/141696782
The OWASP Hacky Easter Challenge with Ivan Bütler
Thu, 27 Mar 2014 15:10:55 +0000
https://soundcloud.com/owasp-podcast/the-owasp-hacky-easter
00:06:24
Ivan Bütler and his team at the Hacking Lab have whipped up a fun challenge for the Easter season. <a href="http://hackyeaster.hacking-lab.com/hackyeaster/index.html">The Hacky Easter Challenge</a> is a white-hat hacking competition for fun and education. Sign up and start your quest for Easter eggs! No need to be a "1337 h4xor" - there are challenges of varying difficulty.
<b>About Ivan Bütler</b>
Ivan Bütler is the co-founder and CEO of Compass Security, a Swiss ethical hacking and penetration testing company located in Switzerland and Germany. Besides his own business he is also a tutor at both the University of Applied Sciences in Rapperswil and Lucerne University of Applied Sciences and Arts. Ivan is a regular speaker at international conferences (Black Hat USA, IT Underground Warsaw, OWASP AppSec).
Ivan is on the board of the Swiss Cyber Storm 4 Conference Committee and as such is responsible for the CTF and hacking platform for the European Cyber Security Challenge 2014/2015, a cyber talent competition between Austria, Switzerland, Germany and many others from the European Union.
He is the founder of Hacking-Lab, a remote security lab used world-wide by security enthusiasts and security professionals to build hands-on experience. Hacking-Lab is partnering with OWASP and provides free OWASP Top 10, OWASP Hackademic and OWASP WebGoat challenges.

tag:soundcloud,2010:tracks/141172508
The OWASP Top Ten Proactive Controls Project with Jim Bird
Mon, 24 Mar 2014 14:36:36 +0000
https://soundcloud.com/owasp-podcast/the-owasp-top-ten-proactive
00:14:20
The OWASP Top Ten Proactive Controls Project is spearheaded by Jim Bird and Jim Manico. According to Jim Bird, it is a list of security techniques that should be included in every software development project. I spoke with him about the evolution of the project and how he envisions it being used by the OWASP community, and specifically by developers.
<b>Resources for this Broadcast</b>
<a href="https://www.owasp.org/index.php/OWASP_Proactive_Controls">OWASP Top Ten Proactive Controls Project </a>
<a href="ca.linkedin.com/pub/jim-bird/3/4b2/646">Jim Bird on LinkedIn</a>
<b>About Jim Bird</b>
Jim Bird is a software development manager and CTO with more than 25 years of experience in software engineering, with a special focus on high-integrity and high-reliability systems. Jim is currently the co-founder and CTO of a major US-based institutional trading service, where he is responsible for managing the company’s technology group and IT security programs. Jim has worked as a consultant to IBM and to major stock exchanges and banks globally. He was also the CTO of a technology firm (now part of NASDAQ OMX) that built custom IT solutions for stock exchanges and central banks in more than 30 countries. Jim is an active contributor to OWASP, helps out as a member of the SANS Analysts program on application security, and rants about Agile software development, project management and application security topics on his blog “Building Real Software”.

tag:soundcloud,2010:tracks/140698004
The OWASP Cornucopia Project with Colin Watson
Fri, 21 Mar 2014 14:38:12 +0000
https://soundcloud.com/owasp-podcast/the-owasp-cornucopia-project
00:15:34
For his most recent project at OWASP, Colin Watson has taken the concept of Microsoft's 'Elevation of Privilege' card game and transformed it into a process for identifying security requirements for web applications. In this segment of OWASP 24/7, I speak with Colin about the origin of the project, a typical use case for the game and what the next version of the deck will look like.
<b>Resources for this broadcast</b>
<a href="https://www.owasp.org/index.php/OWASP_Cornucopia">OWASP Cornucopia Project Page</a>
<a href="http://www.microsoft.com/security/sdl/adopt/eop.aspx">Microsoft Elevation of Privilege Card Game</a>
<b>About Colin Watson</b>
Colin Watson is an application security consultant based in London. He is project leader for the OWASP Codes of Conduct and OWASP Cornucopia projects, wrote the Application Logging Cheat Sheet, contributes to a number of other OWASP projects including AppSensor and Open SAMM, and was a member of the former OWASP Global Industry Committee.

tag:soundcloud,2010:tracks/137745520
The OWASP WebSpa Project with Yiannis Pavlosoglou and Jim Manico
Mon, 03 Mar 2014 20:15:17 +0000
https://soundcloud.com/owasp-podcast/the-owasp-webspa-project-with
00:32:55
<b>The OWASP WebSpa Project</b>
The OWASP WebSpa project is a tool implementing the novel idea of web knocking. The term web knocking stems from port knocking. If port knocking is defined as "a form of host-to-host communication in which information flows across closed ports", then we define web knocking as a form of host-to-host communication in which information flows across erroneous URLs.
In this podcast we present this web knocking tool for sending a single HTTP/S request to your web server, in order to authorise the execution of a preselected Operating System (O/S) command on it.
<b>About Yiannis Pavlosoglou</b>
There is a world of numbers, hiding behind letters, inside computers; this is what stimulates my work. I am currently employed in IT risk management within the financial industry, running a team of technical risk assessors.
Prior to this, I spent 5 years in the world of professional penetration testing. I focused my career evolution on assisting large-scale projects to actually implement secure development practices. This included teaching developers how to write secure code. For OWASP, I was the project leader for JBroFuzz and used to chair the Global Industry Committee. I am on the Application Security Advisory Board of the (ISC)2.
My academic qualifications include a PhD in information security, designing routing protocols for ad-hoc networks. I am a certified scrum master and hold the CISSP certification.

tag:soundcloud,2010:tracks/135848451
2014 AppSec APAC - History and Overview (Japanese and English)
Thu, 20 Feb 2014 17:29:58 +0000
https://soundcloud.com/owasp-podcast/2014-appsec-apac-history-and
00:17:58
I was able to have a wonderful conversation with Riotaro Okada and Robert Dracea this morning, talking about the upcoming AppSec APAC conference in Tokyo. This interview is unique, in that we have the English and Japanese responses integrated into the conversation.
This is the first event of its kind in Japan and you can tell the locals are very excited about the possibilities, from internationally recognized speakers to showing visitors the hospitality of Japan. We begin the discussion with how the Tokyo OWASP chapter was started and how it led to the AppSec APAC Conference.
<b>Riotaro Okada, Researcher</b>
Born in Kobe, Hyogo Prefecture, Japan, Mr. Okada has over 20 years of experience in software development and network construction. He has been involved in network construction, software development and the implementation of information security measures at independent software development companies, the R&D divisions of manufacturing companies as well as consulting firms. Mr. Okada has also facilitated various technology-related communities, such as those for Linux and PHP. In 2004, he founded the Web Application Security Forum and as a member of the board became involved in the diffusion of security-related information. Moreover, he was also a researcher at the Information-technology Promotion Agency, Japan (IPA) for 8 years, and responsible for the IT strategy as well as disaster response projects at various government organizations. Mr. Okada has been the co-leader of OWASP Japan since its founding, is CISA certified and holds an MBA from BBT (2009).
<b>Robert Dracea</b>
Mr. Dracea is responsible for the global strategy of a Japanese internet service company. With the mission of better sharing Japan’s advanced technological power with the world, from a business perspective, he has successfully architected numerous alliances and tie-ups both domestically in Japan and overseas. Additionally, he has also, on a volunteer basis, conducted translation and interpretation at multilingual OWASP meetings. Mr. Dracea has been a member of the OWASP Japan Advisory Board since its founding.

tag:soundcloud,2010:tracks/135680987
AppSec Europe 2014 - What To Expect with Host Adrian Winckles
Wed, 19 Feb 2014 18:18:02 +0000
https://soundcloud.com/owasp-podcast/appsec-europe-2014-what-to
00:07:54
The planning for AppSec Europe 2014 in Cambridge is in full swing. I caught up with conference manager Adrian Winckles to see how things are shaping up.

tag:soundcloud,2010:tracks/135527835
AppSec USA 2013 – Mark Arnold Talks about the Boston OWASP Chapter
Tue, 18 Feb 2014 20:37:50 +0000
https://soundcloud.com/owasp-podcast/appsec-usa-2014-mark-arnold
00:10:42
Mark Arnold helps run a very successful OWASP chapter in Boston. In this extended discussion, I talk with Mark about why the chapter is doing so well, what lessons others could learn from his chapter's success and what he would like to see happen to gain a broader audience for the group.
<b>About Mark Arnold</b>
Mark Arnold is Director of Information Security for PTC, a global leader helping companies achieve and sustain service and product advantage. He has served in various security roles and capacities across multiple industries and as a security consultant. Mark continues to provide leadership by serving on a mix of technology (OWASP Boston, Risk I/O/CISO Advisor) and community boards. He helped launch the Boston Application Security Conference, an OWASP event, as a way to promote application security to local area college/university and secondary school students. Mark advocates bridging the digital and technical divide, supporting various STEM initiatives and encouraging increased minority and gender representation in the security field and its disciplines. He holds a BSEE from Stanford University, MDiv from Princeton Seminary, AM/PhD degrees from Harvard University, and industry certifications. tag:soundcloud,2010:tracks/132297304OWASP Statement on the Security of the Internet 2014Fri, 31 Jan 2014 04:03:03 +0000https://soundcloud.com/owasp-podcast/owasp-statement-on-the
00:14:14
<i>"Not making a statement can be a statement in its own right." -- Tobias Gondrom</i>
Earlier this week, <a href="https://www.owasp.org/index.php/OWASP_Statement_on_the_Security_of_the_Internet_2014">OWASP released a statement</a> after an internal debate regarding recent allegations that RSA had weakened its encryption while receiving $10 million from the NSA. There was heated discussion about whether or not to publish a statement. Would it be perceived as political? What is OWASP's responsibility when it comes to defending the trustworthiness of software?
I spoke with Tobias Gondrom and Eoin Keary about that debate. Their premise is that this is not a political statement, but a clarification to keep OWASP focused on its original mission.
tag:soundcloud,2010:tracks/129503584
AppSec APAC 2014 with Tobias Gondrom – What To Expect
Tue, 14 Jan 2014 17:19:54 +0000
https://soundcloud.com/owasp-podcast/appsec-apac-2014-what-to
00:07:09
The OWASP team in Japan is putting the finishing touches on the big AppSec APAC Conference being held in March 2014. I spoke with Tobias Gondrom, keynote speaker for the conference, and asked him to fill us in on why this conference is unique and why you should consider attending.
tag:soundcloud,2010:tracks/129337807
AppSec USA 2013 - Larry Conklin and the Code Review Book Project
Mon, 13 Jan 2014 18:20:17 +0000
https://soundcloud.com/owasp-podcast/appsec-usa-2014-larry-conklin
00:10:46
<i>"I am a developer and one of the things I hate are code reviews." -- Larry Conklin</i>
Larry Conklin is a developer and as a developer, he HATES code reviews. Because of this, he now heads the OWASP "Code Review Book" project, which is creating a definitive guideline that allows companies to proceed with code reviews based upon technical facts, not emotions or intuition. I spoke with Larry at AppSec USA 2014. Dennis Groves was also there, so you'll hear him interject with a question in the middle of the program.
<b>About <a href="https://www.owasp.org/index.php/User:Larry_Conklin">Larry Conklin</a></b>
Larry Conklin's current emphasis is in Microsoft .NET technologies including C#, VB.NET, and SQL Server. Recent project experiences include converting legacy VB software to .NET, creating and maintaining operational support web sites to help QuikTrip manage its 600+ stores
tag:soundcloud,2010:tracks/128381741
AppSec USA 2013: Jim Manico - Life after OWASP Podcasting
Tue, 07 Jan 2014 20:55:57 +0000
https://soundcloud.com/owasp-podcast/jim-manico-life-after-owasp
00:13:01
<i>"For an organization to really mature around application security, they need to be building security into their software from day one." -- Jim Manico</i>
Jim Manico started the OWASP podcast series in 2008. In that time, he has recorded close to 100 interviews to keep the community updated on the latest project development within OWASP. As Jim reaches his 100th episode, he reminisces about how the series was started, what his original vision was and what he's going to do now that he has passed the reins over and moves on to other projects. We start with a question about the origins of the project and how it grew.
<i>"It's easy to talk about the 'purity' of software development, but managing a fleet of already insecure apps is an equally difficult problem." -- Jim Manico</i>
<b>About Jim Manico</b>
Jim Manico was elected as an OWASP Global Board Member as of January 1, 2013. He has been an active member of OWASP since 2008. He is the VP of Security Architecture at WhiteHat Security.
Jim's main passion at OWASP is supporting projects that help developers write secure code.
tag:soundcloud,2010:tracks/125608782
AppSec USA 2013 - Abbas Naderi and the OWASP PHP Security Project
Thu, 19 Dec 2013 18:18:03 +0000
https://soundcloud.com/owasp-podcast/appsec-usa-2013-abbas-naderi
00:11:23
<i>"There are a lot of security flaws in websites like Facebook and WordPress applications. Most of those flaws are because the developers first create the application and then consider the security." -- Abbas Naderi</i>
PHP is one of the most used programming languages for the web. The problem with PHP has always been that it's easy to get started programming with PHP, but that's also one of its biggest flaws when considering application security. Abbas Naderi leads the OWASP PHP Security Project, which is a sample framework to demonstrate proper usage of the tools and libraries, as well as providing guidelines for new PHP projects. In this segment of OWASP 24/7, I talk with Abbas about the PHPSEC project as well as one of his other projects, RBAC.
<b>About Abbas Naderi</b>
Abbas Naderi Afooshteh is a renowned security expert in the Middle East; he has ranked first in many national and global CTFs and has been in the field for more than 8 years. He is the current Iran Chapter Leader at OWASP, and has 5 years of activity in OWASP resulting in many projects such as the OWASP RBAC Project, OWASP PHP Security Project, OWASP WebGoatPHP Project, etc. He has participated in many other projects such as Cheat Sheets and ESAPI.
Abbas has studied software engineering and information technology in his BS and MS and is now going to CMU to study Information Security for MS+PhD. He spends many hours daily leading OWASP projects and mentoring new enthusiasts that join projects, as well as shaping bright ideas into OWASP projects. More can be found at https://abiusx.com/cv
tag:soundcloud,2010:tracks/124695895
AppSec USA 2013: Zed Attack Proxy Project with Simon Bennetts
Fri, 13 Dec 2013 19:13:26 +0000
https://soundcloud.com/owasp-podcast/zed-attack-proxy-project-with
00:10:48
<i>"You can't automate all tests. There are a lot of things you can't find automatically. You have to have somebody who knows what they are looking for." -- Simon Bennetts</i>
In today's segment, I talk with Simon Bennetts, project lead for the OWASP <a href="https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project">Zed Attack Proxy Project</a> or "ZAP" for short. Simon is working on a user-friendly tool for integrated penetration testing of web applications. Our discussion took place at AppSec USA 2013. We begin with an overview of the ZAP project and talk about how it came about.
<b>About Simon Bennetts</b>
Simon Bennetts (a.k.a. Psiinon) has been developing web applications since 1997, and strongly believes that you cannot build secure web applications without knowing how to attack them.
He works for Mozilla as part of their Security Team.
Some of the projects Simon works on:
-- OWASP Zed Attack Proxy project lead
-- OWASP Vulnerable Web Applications Directory Project joint project lead
-- Mozilla Zest project lead
-- Mozilla Plug-n-Hack joint project lead
-- Bodge It Store project lead
-- OWASP Web Application Security Testing Cheat Sheet joint author
-- OWASP AppSensor contributor
-- wavsep contributor
-- OWASP Data Exchange Format project lead (currently inactive)
tag:soundcloud,2010:tracks/124165361
AppSec USA 2013 - Michael Coates on the AppSensor Project
Tue, 10 Dec 2013 16:03:18 +0000
https://soundcloud.com/owasp-podcast/appsec-usa-2013-michael-coates
00:11:09
Michael Coates has a vision: smart applications that come to their own defense.
<i>"We need to get to that point where we realize that our apps are in a military zone, they are being attacked all the time." -- Michael Coates</i>
In this segment of OWASP 24/7, I speak with Michael Coates, Chairman of the OWASP Board and the founder of the AppSensor Project. Michael's contention is that applications should be smarter, that an app should "know" when it is being attacked and have a proactive, built-in response. We discuss the AppSensor project in depth: what it is and why it was created. We start our discussion with the background and reasoning behind the project.
<i>"The real damage is when they know how your application works. They attack your business logic. They do things to violate the custom aspects of your application." -- Michael Coates</i>
<b>About Michael Coates</b>
Michael Coates is the Chairman of the OWASP board. In addition, he is the creator of OWASP AppSensor, a project dedicated to creating attack-aware applications that leverage real-time detection and response capabilities.
Michael is also the Director of Product Security at Shape Security, a Silicon Valley startup developing an entirely new type of web security product to protect web sites against modern attacks.
Previously, Michael was the Director of Security Assurance at Mozilla where he founded and grew the Security Assurance and Web Security programs to 25 people.
Throughout Michael's career he has advised major corporations and governments on secure architecture and software security. He’s also performed hundreds of technical security assessments for financial, enterprise, and cellular customers worldwide. Michael also maintains a security blog at michael-coates.blogspot.com
Michael holds a Master of Science degree in Computer, Information and Network Security from DePaul University and a Bachelor of Science degree in Computer Science from the University of Illinois at Urbana-Champaign.
tag:soundcloud,2010:tracks/122893510
AppSec USA 2013 - The OWASP Application Security CISO Guide with Marco Morana and Tobias Gondrom
Mon, 02 Dec 2013 17:11:51 +0000
https://soundcloud.com/owasp-podcast/appsecusa2013-cisoguide
00:27:35
<i>"The CISO Guide provides guidance and visibility to CISOs on how to initiate an application security program, how to make the business case, how to manage the risks of applications and how to measure those risks. The guide is structured as a journey, because application security is not a destination, it is a journey." -- Marco Morana</i>
Marco Morana is the coordinator of the OWASP Application Security Guide For CISOs Project and Tobias Gondrom is the project lead for the OWASP CISO Survey. They have combined resources to provide us with a CISO framework for implementing an application security program. During our discussion at AppSec USA 2013, we talked about the origin of the projects and how they can be used to make a business case for application security.
<i>"If you have a security strategy that is about a two year time frame, you have a higher chance of increasing your application security investments. The question is then, 'How do you write that strategy?' That question is answered in the CISO Guide." -- Tobias Gondrom</i>
I start by asking Marco about the purpose of the CISO Guide.
tag:soundcloud,2010:tracks/122041902
AppSec USA 2013 - The Purpose of OWASP, an Interview with Co-Founder Dennis Groves
Tue, 26 Nov 2013 21:24:44 +0000
https://soundcloud.com/owasp-podcast/the-purpose-of-owasp-an
00:18:23
Many people in the OWASP community don't know Dennis Groves... and that's a surprise since he is one of the co-founders of the movement. I was able to catch up with Dennis at AppSec USA in New York City (November 19, 2013) and we had an interesting discussion about the beginnings of OWASP and what he sees in the future.
<b>Highlights of our Discussion</b>
* The event that triggered the inspiration for OWASP
* The original purpose of OWASP
* The use of OWASP as a de facto standard
* Future vision for OWASP
* The dilemma of community obligation
<b>About Dennis Groves</b>
Dennis Groves's work focuses on a multidisciplinary approach to risk management. He is particularly interested in risk, randomness, and uncertainty. He holds an MSc in Information Security from the University of Royal Holloway where his thesis received a distinction. He is currently a UK expert for the UK mirror of ISO subcommittee 27, IT Security Techniques, working group 4, Security Controls and Services at the British Standards Institute.
He is most well known for co-founding OWASP. His contributions to OWASP include the ‘OWASP Guide (v1)’, downloaded over 2 million times; now a reference document in the PCI DSS standard, and the de-facto standard for securing web applications. He is a thought leader in the web application security space, where he has spent the last decade of his career.
Dennis Groves has been a Security Architect, Ethical Hacker, Web Application Security Consultant, IT Security Consultant, System Administrator, Network Administrator, and a Software Engineer. He has taught various courses on information security and is best known for his ability to bring fresh insight to difficult security problems.
Specialties: Risk Management, Threat Modeling, Security Architecture, Application Security, and "the big picture".
tag:soundcloud,2010:tracks/121995959
AppSec USA 2013 - OWASP Panel on Using Components with Known Vulnerabilities
Tue, 26 Nov 2013 16:16:35 +0000
https://soundcloud.com/owasp-podcast/appsec-usa-2013-owasp-panel-on
00:48:58
Last week at AppSec USA in New York City (November 20, 2013), I moderated a panel with Jeff Williams and Ryan Berg talking about the latest addition to the OWASP Top 10, Using Components with Known Vulnerabilities. This is the full recording of that session.
tag:soundcloud,2010:tracks/121852019
AppSec USA 2013 - Wait, Wait... Don't Pwn Me!
Mon, 25 Nov 2013 18:53:03 +0000
https://soundcloud.com/owasp-podcast/appsec-usa-2013-wait-wait-dont
00:41:29
On today's segment, we're going to take a different approach from our normal format. I was at the AppSec USA Conference in New York City last week and was asked to chair a panel for the game show "Wait, wait... don't pwn me!". This is the full recording of the session. As you listen, keep in mind, every situation described within the game is true. Let's start first with the introductions of Chris Eng, Josh Corman and Space Rogue.
tag:soundcloud,2010:tracks/119203243
Tom Brennan - What to expect at AppSecUSA 2013
Fri, 08 Nov 2013 19:44:24 +0000
https://soundcloud.com/owasp-podcast/tom-brennan-what-to-expect-at
00:14:58
In this segment, I talk with Tom Brennan, the organizer of AppSecUSA 2013 in New York City. The conversation centers around what's going on in New York, why Tom took on the project and what makes AppSec conferences special.
<b>About Tom Brennan</b>
Tom Brennan has been a volunteer with the OWASP Foundation since 2004, when he founded the New Jersey Chapter after serving on the Board of Directors for the FBI Infragard program in New Jersey. The NJ OWASP Chapter later merged with the New York City Chapter in 2006.
Tom was appointed to the Global Board of Directors in 2007 by his peers and was re-elected by the membership in 2012 for another two year term.
During his leadership of the OWASP Foundation he has led many global and local initiatives for OWASP including governance, fund raising via conferences and membership, and business marketing.
tag:soundcloud,2010:tracks/118947082
Kelly Santalucia - Growing OWASP and the Outreach Programs
Thu, 07 Nov 2013 04:56:59 +0000
https://soundcloud.com/owasp-podcast/kelly-santalucia-growing-owasp
00:12:12
In this segment of OWASP 24/7, I talk with Kelly Santalucia about what it takes to grow OWASP, how she's working with the outreach foundation, the outreach program for kids, the diversification of the membership... things that are helping the community grow. We also talk about what OWASP will look like in the future as virtual chapter meetings become an integral part of the platform. I began by asking Kelly what her job responsibilities are with OWASP.
tag:soundcloud,2010:tracks/118668048
Kate Hartmann - The Future of Virtual Chapter Meetings
Tue, 05 Nov 2013 12:51:41 +0000
https://soundcloud.com/owasp-podcast/kate-hartmann-the-future-of
00:14:26
Kate Hartmann is Operations Director of OWASP. She is responsible for creating and maintaining the platform for the OWASP organization. Kate has a unique perspective on how virtual meetings are becoming an important tool for the global community. We start our discussion with Kate talking about her typical day at OWASP... which begins with a full pot of coffee to get her jumpstarted.
<b>About Kate Hartmann</b>
Kate joined the OWASP Foundation in May 2008. Her work within the OWASP Foundation includes supervising and facilitating the completion of operationally critical tasks. She provides direction to the operational team by mapping out cross-committee objectives and identifying opportunities that promote the Foundation's short term and long term strategic goals.
Kate has a B.A. in English and History from VA Tech in Blacksburg, VA. Prior to joining the OWASP Foundation, she worked with Government funding sources in the Healthcare Industry.
tag:soundcloud,2010:tracks/117957017
Sarah Baso - What does it take to support 43,000 members in 100+ countries?
Thu, 31 Oct 2013 16:29:36 +0000
https://soundcloud.com/owasp-podcast/sarah-baso-43-000-members-160
00:20:02
OWASP 24/7
Sarah Baso is the Executive Director of OWASP. Her day-to-day responsibilities include managing a membership of over 43,000 people in 100+ countries. What does it take to run an organization this size, and how do you prepare for the future without getting bogged down in the details?
About Sarah Baso
Sarah is based in San Francisco, California, USA and has been the Executive Director of the OWASP Foundation since April 2013. In this role, she supervises the paid OWASP staff in addition to administering all programs and operations of the OWASP Foundation, reporting to the OWASP Board of Directors.

tag:soundcloud,2010:tracks/117826592
Samantha Groves - Getting the Most from OWASP Projects
Wed, 30 Oct 2013 20:13:56 +0000
https://soundcloud.com/owasp-podcast/samantha-groves-owasp-projects
00:17:23
OWASP 24/7
As the Projects Manager for all projects at OWASP (the Open Web Application Security Project), Samantha Groves has deep visibility into the 140 or so projects currently on the boards at OWASP. We start our discussion with what her typical day looks like and then move into how OWASP is changing and the different models for project frameworks.
About Samantha Groves
Samantha Groves is the Project Manager at OWASP. Samantha has led many projects in her career, some of which include website development, brand development, sustainability and socio-behavioural research projects, competitor analysis, event organisation and management, volunteer engagement projects, staff recruitment and training, and marketing department organisation and strategy implementation projects for a variety of commercial and not-for-profit organisations. She is eager to begin her work at OWASP and help the organisation reach its project completion goals.
Samantha earned her MBA in International Management with a concentration in sustainability from Royal Holloway, University of London. She earned her Bachelor's degree majoring in Multimedia from The University of Advancing Technology in Mesa, Arizona, and she earned her Associate's degree from Scottsdale Community College in Scottsdale, Arizona. Additionally, Samantha recently attained her Prince2 (Foundation) project management certification.